The Legal Implications of Cybersecurity When Collecting Personal Information

Understand the Stakes of Collecting Personal Information

Cybersecurity law has been called many things in recent years—evolving, complex, varied, cutting-edge, even hilarious. Ok, maybe not the last one. But I would offer another phrase that can serve as a key takeaway from this article. This phrase also highlights the importance of strong cybersecurity from a legal perspective when collecting personal information. That phrase would be: creating victim-defendants.

I know it doesn’t exactly roll off the tongue, but it exemplifies an important aspect of cybersecurity law: If victimized by a hacker, your business could be sued as a result of the data breach.

If you think of personal information as belonging to the customers or employees who provided their data, rather than as belonging to the business, you’ll see why cybersecurity raises many legal issues.

Businesses are accustomed to protecting their own sensitive information, such as trade secrets and financial information. If that information were stolen, the business would have a claim against the bad actor and wouldn’t necessarily expect to be sued.

Cybersecurity law is different because businesses often are sued after a data breach.

If you think of personal information as belonging to the customers or employees who provided their data, rather than as belonging to the business, you’ll see why cybersecurity raises many legal issues. You’ll also see how a business victimized by a data breach can become a defendant in a lawsuit.

The following are some of the major aspects of cybersecurity law. Understanding these issues will go a long way toward creating a legally compliant cybersecurity program and avoiding becoming a victim-defendant after a data breach.

The Basics of Collecting Personal Information

Cybersecurity law pertains to when an individual’s “personal information” is stolen or otherwise accessed by someone without authority. [Editor’s Note: If you’re interested in cybersecurity law, you might also be interested in theEuropean Union Data Privacy and Protection Regime.] Businesses should understand what constitutes “personal information” as they often hold more of it than they realize.

Generally, personal information is someone’s name in combination with another valuable piece of data about that person. It could be a social security number, driver’s license or other government-issued identification number. It could also be a financial account number, medical information, or biometric data (fingerprints, for example), among others. Personal information also can include someone’s login credentials to an online account.

Think of personal information as data that can be used to steal someone’s identity (credit card or healthcare fraud) or lead to information to steal someone’s identity (login credentials to an online account).

As explained below, businesses have legal obligations when collecting personal information to safeguard and to respond to a data breach appropriately.

The Need for Cybersecurity Insurance

Businesses collecting personal information electronically should have cybersecurity insurance. As Shark Tank’s Robert Herjavec put it, “We’re in a very challenging time where warfare is being fought in cyberspace and the threats aren’t going to slow down anytime soon.”

Cybersecurity insurance is typically a separate policy or a rider to an existing policy. It is often overlooked by businesses because they don’t realize that general liability or crime policies often exclude coverage for data breaches. The best practice is to make sure adequate cybersecurity insurance coverage is in place.

The cybersecurity policy should cover the common causes of a data breach, such as:

Phishing

Business email compromise

Ransomware

Software or network vulnerabilities

The cybersecurity policy also should cover the common costs of a data breach, such as:

Notification expenses

Forensic expenses

Legal fees

Loss of business

Data recovery costs

Cyber-extortion loss (ransomware)

Payment card penalties

Regulatory fines

Litigation costs

In other words, the cybersecurity insurance policy should cover expenses incurred both as a victim and as a defendant.

Collect and Store Only by Necessity

If you view each piece of personal information as a potential liability, you will be more selective in the information you collect and store. The bottom line from a cybersecurity law standpoint is to collect only the personal information you need to operate the business and keep it only as long as necessary to serve its purpose.

When collecting personal information from individuals, businesses should assess and identify the need for it. If the rationale for collecting certain information is along the lines of, “We’ve always done it this way because it’s on our form,” the business should consider stopping the collection of that information.

Likewise, if the business maintains records indefinitely “just because”, without any continued need for the personal information, that information should be deleted or destroyed. Unless, of course, the information must be kept under other law (such as tax law).

If the rationale for collecting certain information is along the lines of, “We’ve always done it this way because it’s on our form,” the business should consider stopping the collection of that information.

Collecting only the information needed to operate the business and keeping that information only as long as necessary to serve its purpose would narrow the scope of potential liability from a data breach. Each piece of personal information represents a potential notification the business would have to send, and a potential plaintiff the business would have to defend against, after a data breach.

Adam Brouillet is a data privacy and cybersecurity attorney with Trenam Law in St. Petersburg, Florida. He advises clients on legal issues relating to information privacy, including cybersecurity standards, vendor contracts, insurance, business transactions, and data-breach response obligations. Adam also represents clients in commercial disputes in trial and appellate courts.